
I'm trying to create a private API using AWS API Gateway. In my understanding, I have 2 options to implement private API Gateway, 1) restrict sources with API Gateway resource policy and 2) restrict sources within a VPC with VPC Endpoint.

My question is: For option 1, can I set the condition in the resource policy to allow traffic only from a specific VPC and achieve the same result as option 2?

# API Gateway resource policy
{
  ...

  "Condition": {
    "StringEquals": {
      "aws:sourceVpc": "vpc-123abc"
    }
  }
}

If yes, what's the difference between them? What are the advantages of adopting a VPC Endpoint to implement a private API Gateway?

Chiamin
  • Option 1 doesn't seem to work. A VPC Endpoint must be created to restrict a source VPC. Does the condition "aws:sourceVpc" only work with a VPC Endpoint? – Chiamin Jan 11 '22 at 08:08

1 Answer

Here are the ways you can use to access private API gateways: How to invoke a private API

The condition that works with VPC endpoints in your case is aws:SourceVpce, with the ID of the execute-api endpoint that you deployed in your AWS account. Here you can find the list of AWS global condition context keys: AWS global condition context keys.

ced3eals
  • Can I use a VPC Endpoint in account A to access a private API Gateway in account B? Thanks in advance! – Chiamin Jan 12 '22 at 03:23
  • Yes of course. In this case, you will need to authorize project A vpc-id in the account B private API Gateway resource based policy. The condition will look like: "StringEquals": { "aws:sourceVpce": "PROJECT_A_VPCE_ID" } – ced3eals Jan 12 '22 at 13:31
  • I read some solutions use VPC Endpoint Service as an entry for private API Gateway, and in another account, use VPC Endpoint to access the private API Gateway. What are the advantages of adopting VPC Endpoint Service? (similar to [this](https://aws.amazon.com/blogs/compute/building-private-cross-account-apis-using-amazon-api-gateway-and-aws-privatelink/)) – Chiamin Jan 13 '22 at 08:08
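The following is an added example, not code from the question, the answer, or AWS. It builds the resource-policy pattern the answer points at (an explicit Deny for any `execute-api:Invoke` that does not arrive through a listed execute-api VPC endpoint, plus a broad Allow, matching the condition key `aws:SourceVpce` rather than `aws:sourceVpc`), and runs a small local evaluator over constructed request contexts so you can check the policy's effect before deploying it. The VPC endpoint IDs are constructed placeholders; the evaluator is a simplified approximation of IAM's evaluation (explicit Deny wins, absent keys fail `StringEquals` and satisfy `StringNotEquals`), not the real IAM engine, and only covers the operators this policy uses.

```python
import json

# Constructed placeholder IDs (not real resources). The allowed endpoint may
# live in another account, which is how the cross-account case in the comments
# above is expressed: the producer's policy lists the consumer's VPCE ID.
ALLOWED_VPCE = "vpce-0123456789abcdef0"
OTHER_VPCE = "vpce-0fedcba9876543210"


def private_api_policy(allowed_vpce_ids):
    """Resource policy admitting execute-api:Invoke only via the given
    execute-api VPC endpoints. Deny-unless-from-VPCE plus a broad Allow is the
    documented pattern for private APIs; a request that does not come through
    a VPCE carries no aws:SourceVpce key, so StringNotEquals matches and the
    Deny applies."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": "execute-api:/*",
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": list(allowed_vpce_ids)}
                },
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": "execute-api:/*",
            },
        ],
    }


def _condition_matches(condition, ctx):
    """Evaluate StringEquals / StringNotEquals against a request context dict.
    Absent keys: StringEquals never matches, StringNotEquals always matches
    (simplified model of IAM's handling of missing keys for these operators)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(policy, ctx):
    """Decision for one execute-api:Invoke request under a simplified model:
    any matching explicit Deny wins, otherwise a matching Allow allows,
    otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if stmt["Action"] != "execute-api:Invoke":
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def policy_document(allowed_vpce_ids):
    """Serialised JSON as you would paste into the API Gateway resource policy."""
    return json.dumps(private_api_policy(allowed_vpce_ids), indent=2)


if __name__ == "__main__":
    policy = private_api_policy([ALLOWED_VPCE])
    print(policy_document([ALLOWED_VPCE]))
    # Constructed request contexts: via the allowed VPCE, via another VPCE,
    # and a request carrying only a VPC ID but no VPCE ID.
    for label, ctx in [
        ("allowed VPCE", {"aws:SourceVpce": ALLOWED_VPCE}),
        ("other VPCE", {"aws:SourceVpce": OTHER_VPCE}),
        ("no VPCE, VPC only", {"aws:SourceVpc": "vpc-123abc"}),
    ]:
        print(f"{label}: {evaluate(policy, ctx)}")
```

The third context shows why the question's `aws:sourceVpc` condition on its own is not a substitute for the endpoint: a policy keyed on the endpoint ID denies anything that did not arrive through the listed VPCE, whatever VPC ID it claims.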